Documentos de Académico
Documentos de Profesional
Documentos de Cultura
Abstract: With popularization of internet, internet attack belongings are also increasing, thus information safety has became a
important issue all over the world, Nowadays, it is an critical need to detect, identify and hold up such attacks effectively. In this
modern world, intrusion occurs in a fraction of seconds and Intruders expertly use the modified version of command and
thereby erase their footprints in audit and log files. Successful IDS academically make different both intrusive and nonintrusive
records. Most of the existing systems have security breaches that make them purely vulnerable and could not be solved. In this
paper, we provide review of various Intrusion Detection Systems in the literature.
Keywords: Intrusion Detection, Data Mining, Clustering, k-means, improved k-means
I. INTRODUCTION
In the world of communication, Most of our essential data is stored in a computer remote and in the most cases, we exchange it over
a network hence security is a big concern. It not just our data transmitting over the network but different types of attacks that can
harm our stored data. Therefore, monitoring computer system, its logs (administration, security, system and network logs) and
protecting our crucial data is necessary. An intrusion detection system is an application that provides protection from malicious
activities or policy violations and generates various rules to defend computer security and this system is relevant for intrusion
detection. On any platform, intrusion detection system can be designed and developed but for its better functionality, we are using
data mining technique [1]. IDS can also classified in terms of detection behaviour into misuse–based and anomaly–based detections.
The first approach, based on signature matching while the second is to detect the anomaly behaviour from the network. Each has its
own strength in order to cope with both known and unknown attacks in an efficient way with high detection precision and speed. In
Information Security, intrusion detection is the act of detecting actions that attempt to compromise the integrity, confidentiality, or
availability of a resource. In 1980, James Anderson first introduced the concept of Intrusion Detection. Since then, Intrusion
detection techniques are considering as the second gate for providing networks security behind firewalls. The purpose of Intrusion
Detection Systems (IDS) is to design and detect attacks against computer systems over insecure networks by the way that detects
attempts by legitimate users to abuse their privileges or to exploit security vulnerabilities for comprising the computers. In fact,
Intrusion detection is a process of gathering intrusion related knowledge occurring during the system monitoring, and then analysing
collected data to draw a conclusion whether the system is intrusive or nor according the user activity, system logs, etc. Having
detecting the some possible intrusion behaviours, the IDS raise the alarm to the network administrator and do some protection
processing [2]. In this paper, we provide review of various Intrusion Detection Systems in the literature
A. Selfish Behaviours
Selfish node does not cooperate in any network functions and exploits the services of the network for its advantage, in order to save
its own resources such as battery life. While such misbehaviour may not be launched with explicitly bad intentions, it can lead to
serious disruptions in network communications such as high route discovery delays and dropped data packets. To render its selfish
behaviour undetectable, selfish node can use multiple identities (e.g. Sybil attack) .
1) Routing Messages Dropping: Selfish node intentionally drops routing packets that are not destined for it, or forwards those
packets but with a time-to live (TTL) of 0 to prevent the creation of routes. There by the selfish node can avoid forwarding
many subsequent data packets. This attack may reduce the network performance and prevent end-to-end communications
between nodes, if the dropping node is at a critical point in the network.
2) Routing Metric Inflation: Selfish node may make routes through itself appear longer than they actually are, by increasing hop
counts so the source nodes are more probably to select other routes that seem to be shorter. Selfish node can also generate
packets that advertise arbitrarily high distance to a given destination, or stops announcing updates that contain better routes that
pass through it. In routing protocols that suppress duplicate packets, such as DSR and AODV , where each node forwards only
the first received packet and deletes any later copies of the same packet. Selfish node can break this rule by waiting to receive
several duplicates and then forwards the packet with the highest routing metric, decreasing the probability of being selected in
the discovered route.
B. Malicious Attack
1) Modification: Modification is the most common attack; in which malicious node modifies the content fields of routing packets
that transit through it. A malicious node could modify packets before rebroadcasting them, so that they include less attractive
metrics, false addresses, and fake hop count in order to redirect network traffic. This attack can cause severe routing disruptions
such as; conflicted and suboptimal routes, erroneous routing table, network partition and lose of connectivity.
2) Fabrication : This attack refers to the generation of faked routing messages, in order to disrupt network operation or to deplete
other nodes’ resources. Such attack is difficult to detect.
3) Impersonation: Also called spoofing attack, it usually constitutes the first step in the majority of attacks. The malicious node
hides its real identity and takes legitimate node’s identity, thus it can receive all the messages destined to this node and gain
access to the network. This attack can also be used for creating loops in order to isolate a target node from the rest of the
network.
4) Black Hole: This attack exploits the vulnerabilities of routing protocols and it is carried out in two steps. First, the malicious
node attracts traffic through itself by advertising better routes to the requested destinations. Afterward, the malicious node drops
all the data or control packets passing through it without any forwarding.
5) Gray Hole: This attack is a refined form of black hole attack, in which a malicious node drops only selected packets and
forwards the others, depends on the source or the destination of Packets. Another kind of gray hole may behave maliciously for
a given period by dropping all packets then switch to normal behaviour later. This attack defeats trust-based mechanisms and
makes the detection of malicious node more difficult to achieve.
6) Wormhole: Also called tunnelling attack, it is one of the most sophisticated attacks in MANETs. In this attack, a malicious node
captures packets from one location in a network and tunnels them through an out-of-band channel to another malicious node
located several hops away, which replays them to its neigh boring nodes, . The tunnel between the malicious nodes is actually
faster than links between legitimate nodes, so the tunnelled packets arrive sooner than packets through other routes. Therefore,
the malicious nodes are more likely to be included in the route and take an advantage for future attack. Detection of wormhole
attack is generally difficult, and requires the use of an unalterable and independent physical metric, such as time delay or
geographical location.
7) Rushing: This attack can be carried out against on-demand routing protocols that use duplicate suppression in their operations.
In order to reduce the route discovery overhead, each intermediate node processes only the first received route request packets
and rejects any duplicate packets that arrive later. Rushing node exploits this mechanism by disseminating route request packets
in order to be included in the discovered routes. Rushing attack can be performed in many ways: by transmitting at a higher
wireless transmission power level, by ignoring delays at MAC or routing layers, by keeping other nodes’ transmission queues
full or by using a wormhole tunnel.
8) Byzantine: A malicious node or a group of malicious nodes create or modify control packets with false routing information in
order to disrupt or degrade the routing operation. This attack is not easy to detect because it has not a specific form; the
malicious node can create routing loops, drops or diverts packets to non-optimal routes .
9) Location Disclosure: Location disclosure is an attack that aims the privacy attribute of an ad hoc network. A malicious node
can reveal important information such as location of nodes, or even the structure of the entire network, by the use of traffic
analysis techniques, or with simpler probing and monitoring approaches. Colluding nodes may gather information regarding the
identities of communication parties; analyze traffic to learn the network traffic pattern, track changes in the traffic pattern, and
then plans further attack scenarios. The leakage of such information is devastating in security sensitive scenarios.
10) Blackmail: This attack occurs against routing protocols that employs malicious detection mechanisms like Watchdog and
bathwater. Malicious node may exploit these mechanisms to blackmail legitimate nodes in order to incite other legitimate nodes
to put those legitimate nodes in their blacklists.
A. Sang-Hyun Oh et al.(2006)
Described in their paper “In anomaly intrusion detection, how to model the normal behavior of activities performed by a user is an
important issue. To extract the normal behavior as a profile, conventional data mining techniques are widely applied to a finite audit
data set. However, these approaches can only model the static behavior of a user in the audit data set. This drawback can be
overcome by viewing the continuous activities of a user as an audit data stream. This paper proposes a new clustering algorithm
which continuously models a data stream. A set of features is used to represent the characteristics of an activity. For each feature,
the clusters of feature values corresponding to activities observed so far in an audit data stream are identified by the proposed
clustering algorithm for data streams. As a result, without maintaining any historical activity of a user physically, new activities of
the user can be continuously reflected to the ongoing result of clustering”[4].
Proposed “a two-phase classification method. Specifically, in the first phase, a set of patterns (data) are clustered by the k-means
algorithm. In the second phase, outliers are constructed by a distance-based technique and a class label is assigned to each pattern.
The Knowledge Discovery Databases (KDD) Cup 1999 data set, which has been utilized extensively for development of intrusion
detection systems, is used in our experiment. The results show that the proposed method is effective in intrusion detection [9].
G. Li Hanguang et al.(2013)
Has described that “By analysing the technology of Intrusion Detection System and Data mining in this paper, the author uses
Apriori algorithm which is the classic of association rules in Web-based Intrusion Detection System and applies the rule base
generated by the Apriori algorithm to identify a variety of attacks, improves the overall performance of the detection system”[10].
H. Subaira. A. S et al.(2013)
Specify that “In spite of growing information system widely, security has remained one hard-hitting area for computers as well as
networks. In information protection, Intrusion Detection System (IDS) is used to safeguard the data confidentiality, integrity and
system availability from various types of attacks. Data mining is an efficient artifice that can be applied to intrusion detection to
ascertain a new outline from the massive network data as well as it use to reduce the strain of the manual compilations of the normal
and abnormal behavior patterns. This work reviews the present state of data mining techniques and compares various data mining
techniques used to implement an intrusion detection system such as, Support Vector Machine, Genetic Algorithm, Neural network,
Fuzzy Logic, Bayesian Classifier, K- Nearest Neighbor and decision tree Algorithms by highlighting the advantages and
disadvantages of each of the techniques” [11].
J. Chakchai et al.(2014)
Mention that Due to a rapid growth of Internet, the number of network attacks has risen leading to the essentials of network
intrusion detection systems (IDS) to secure the network. With heterogeneous accesses and huge traffic volumes, several pattern
identification techniques have been brought into the research community. Data Mining is one of the analyses which many IDSs have
adopted as an attack recognition scheme. Thus, in this paper, the classification methodology including attribute and data selections
was drawn based on the well–known classification schemes, i.e., Decision Tree, Ripper Rule, Neural Networks, Naïve Bayes, k–
Nearest–Neighbour, and Support Vector Machine, for intrusion detection analysis using both KDD CUP dataset and recent HTTP
BOTNET attacks. Performance of the evaluation was measured using recent Weka tools with a standard cross–validation and
confusion matrix [13].
Clustering plays a very vital role in exploring data, creating predictions and to overcome the anomalies in the data.
Define data mining as “Data mining is the method of extract valid, formerly known & comprehensive datasets for the future
decision making. As the enhanced knowledge by World Wide Web the streaming data come into picture with its challenges. The
data which change with time & update its cost is known as streaming data. As the most of the data is streaming in nature, there are
so many challenge need to face in the sense of security point of view. Intrusion Detection System (IDS) works in the idea of
detecting the intruders to protect the personal system. The research in data stream mining & Intrusion detection system gain high
desirability due to the meaning of system’s safety measure. An Intrusion Detection System (IDS) is important knowledge to detect
such intruders who are harmful to the system. Main goal of the IDS is to save from harm the system & network from the intruders.
IDS keep track of behaviour of the activities; if they are malicious to the system then it’ll be automatically detected by the IDS”[15].
IV. CONCLUSION
In the world of communication, Most of our crucial data is stored in a computer remote and in the most cases we exchange it over a
network hence security is a big concern. But it's not just our data transmitting over the network but different types of attacks that can
harm our stored data. With popularization of internet, internet attack belongings are also increasing, thus information safety has
became a important issue all over the world, hence Nowadays, it is an critical need to detect, identify and hold up such attacks
effectively. In this modern world intrusion occurs in a fraction of seconds and Intruders expertly use the modified version of
command and thereby erase their footprints in audit and log files. In this paper, we provided review of various Intrusion Detection
Systems in the literature.
REFERENCES
[1] Ahmed Patel, Mona Taghavi, Kaveh Bakhtiyari “An intrusion detection and prevention system in cloud computing: A systematic review “IEEE 2012.
[2] Jabez J, B. Muthukumar, “Intrusion Detection System (IDS): Anomaly Detection using Outlier Detection approach”, 2015
[3] M. L. Lab, “Intrusion detection attacks database,” 1999. [Online]. Available: http://www.ll.mit.edu/ ideval/docs/attackDB.html
[4] Sang-Hyun Oh, Jin-Suk Kang, Yung-Cheol Byun, Taikyeong T. Jeong, and Won-Suk Lee, “Anomaly Intrusion Detection Based on Clustering a Data
Stream”, © Springer-Verlag Berlin Heidelberg 2006
[5] Su-Yun Wua, Ester Yen, “Data mining-based intrusion detectors”, 2008 Published by Elsevier Ltd
[6] Chunfu Jia, Deqiang Chen, “Performance Evaluation of a Collaborative Intrusion Detection System”, 2009 Fifth International Conference on Natural
Computation, © 2009 IEEE
[7] E. Kesavulu Reddy, V. Naveen Reddy, P. Govinda Rajulu, “A Study of Intrusion Detection in Data Mining, Proceedings of the World Congress on
Engineering 2011 Vol III WCE 2011, July 6 - 8, 2011
[8] Krishna Kant Tiwari, Susheel Tiwari, Sriram Yadav, “Intrusion Detection Using Data Mining Techniques, International Journal of Advanced Computer
Technology (IJACT)”, 2012.
[9] Surasit Songma, Witcha Chimphlee, Kiattisak Maichalernnukul, Parinya Sanguansat, “Classification via k-Means Clustering and Distance-Based Outlier
Detection”, 2012 Tenth International Conference on ICT and Knowledge Engineering, ©2012 IEEE.
[10] Li Hanguang, Ni Yu, “Intrusion Detection Technology Research Based on Apriori Algorithm”, International Conference on Applied Physics and Industrial
Engineering, Published by Elsevier, 2013.
[11] Subaira. A. S, Anitha. P, “A Survey: Network Intrusion Detection System based on Data Mining Techniques”, International Journal of Computer Science and
Mobile Computing, IJCSMC, Vol. 2, Issue. 10, October 2013, pg.145 – 153
[12] Mohit Sharma, Nimish Unde, Ketan Borude, “A Data Mining Based Approach towards Detection of Low Rate DoS Attack”, 2014.
[13] Chakchai So, Nutakarn Mongkonchai, Phet Aimtongkham, “An Evaluation of Data Mining Classification Models for Network Intrusion Detection”, ©2014
IEEE.
[14] Preeti Arora, Deepali, Shipra Varshney, “Analysis of K-Means and K-Medoids Algorithm For Big Data”, International Conference on Information Security &
Privacy (ICISP2015), Published by Elsevier, 11-12 December 2015.
[15] Ketan Sanjay Desale, Chandrakant Namdev Kumathekar, Arjun Pramod Chavan, “Efficient Intrusion Detection System using Stream Data Mining
Classification Technique”, IEEE 2015.
[16] Amrit Priyadarshi M. M. Waghmare, “Use of rule base data mining algorithm for Intrusion Detection”, 2015 IEEE.
[17] Shengyi Pan, Thaomas marris, “Developing a Hybrid Intrusion Detection System Using Data Mining for Power Syetem”, IEEE 2015
[18] Anna Little, Xenia Mountrouidou, “Spectral Clustering Technique for Classifying Network Attacks”, IEEE 2016.